[WP] Add CSP and Content-Type-Options headers

We do this more reliably on HAProxy, as doing it from WP requires
specialised plugins and in DD we are sure that traffic goes through
the corresponding HAProxy backend.

dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf

@@ -48,9 +48,9 @@ backend be_oof
 
 backend be_wp
 	mode http
-
-    http-request set-header X-SSL %[ssl_fc]
-    http-request set-header X-Forwarded-Proto https
+	# Add security headers here, as WP is a tad of a pain to setup
+	http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data: *; style-src 'self' 'unsafe-inline' data: fonts.googleapis.com maxcdn.bootstrapcdn.com; font-src 'self' data: fonts.gstatic.com maxcdn.bootstrapcdn.com"
+	http-response set-header X-Content-Type-Options "nosniff"
 	server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
 #
 # END: backends.cnf

dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf

@@ -12,6 +12,9 @@
   http-request del-header X-Forwarded-Proto
   # But add our forwarding headers instead
   option forwardfor
+  # We are always doing TLS, except for redirections
+  http-request set-header X-SSL %[ssl_fc]
+  http-request set-header X-Forwarded-Proto https
 
   # New line to test URI to see if its a letsencrypt request
   acl letsencrypt-acl path_beg /.well-known/acme-challenge/